The Information Commissioner’s response to public consultation 
entitled Reforming the framework for better regulation from the 
Department of Business Energy and Industrial Strategy (BEIS) 


Introduction 


1) The Information Commissioner's Office (ICO) is responsible for regulating 
both data protection and freedom of information, and is empowered to take 
regulatory action under legislation that includes the UK General Data 
Protection Regulation (UKGDPR), the Data Protection Act 2018 (DPA), the 
Freedom of Information Act 2000 (FOIA), the Environmental Information 
Regulations 2004 (EIR), the Privacy and Electronic Communications 
Regulations 2003 (PECR) and the Networks and Information Systems 
Regulations 2018 (NIS). 


2) The ICO welcomes the opportunity to respond to the consultation on 
reforming the framework for better regulation. The ICO recognises that the 
UK’s exit from the European Union affords us an opportunity to look afresh 
at the domestic regulatory framework to ensure that it can realise the 
opportunities of the global digital economy, whilst continuing to effectively 
serve regulated communities and the citizens it seeks to protect. 


3) The ICO has been engaging positively with the Government on its proposals 
to reform the UK’s data protection regime set out in its consultation Data: a 
new direction¹ and has recently published a detailed response to it². The 
proposals include a package of reform to the ICO’s governance model and 
powers, including a number around accountability that overlap with those 
being consulted on in this consultation. 


4) This response therefore does not seek to replicate our response to the data 
protection reform proposals, but instead takes a broader look at the 
regulatory landscape in which the ICO currently operates, sets out the ICO’s 
view on what good regulation looks like in the 21st century with reference 
to the concepts and principles described in the government’s consultation, 
and uses data protection regulation for illustration where applicable. 


1 Data: A new direction consultation DCMS 
2 ICO Response to Data: A new direction consultation 


5) It should also be noted that the ICO has been actively engaging with other 
consultations that touch on regulatory reform and may be relevant to this 
response, including the Online Safety Bill³, the Digital identity and attributes 
consultation⁴ and A new pro-competition regime for digital markets⁵. 


The key principles of good regulation 


6) It is the responsibility of Government and Parliament to determine the 
shape of the legislative and regulatory framework. The ICO’s role is to 
provide independent expert advice to government based on our experience 
of the regulatory landscape. As a whole-economy regulator that regulates 
across international borders, the ICO has considerable experience of 
operating within complex regulatory markets and the growing dependencies 
between the work of individual regulators. Based on this experience, we 
have set out our thoughts on the key principles of good regulation that we 
would recommend are borne in mind when making changes to the 
regulatory framework. 


7) The regulatory framework needs to provide net benefits to UK society as a 
whole: Any regulatory framework needs to protect and benefit people, 
businesses and the regulated communities, and to promote innovation, 
economic growth and fair competition. There are no inherent tensions in 
these different aims - in fact they are complementary to each other - 
provided that they are all sufficiently balanced within the framework. It is 
essential though that the individual is at the heart of any reforms if the 
goals of innovation, fair competition and economic growth are going to be 
achieved. 


3 ICO Response to draft Online Safety Bill 
4 ICO Response to Digital identity and attributes consultation 
5 ICO Response to A new pro-competition regime for digital markets 


8) With respect to data protection, there has been rapid change in the use of 
personal data over the last decade. Innovative technology, particularly in 
the fields of AI and machine learning, allows us to process huge volumes of 
information, much of this personal data, with a speed and efficiency 
unknown in our history. New uses have emerged that show the power of 
these techniques to deliver transformative social and economic benefits. 
However, for society to fully realise the benefits of these innovations, 
individuals must be able to have trust in how organisations are handling 
their information, with those organisations being accountable for how they 
collect, store, use and share it and ensuring that individuals can exercise 
their rights over that data. Without trust, individuals are less likely to share 
their information and innovation may be hampered. 


9) Agile and Proportionate Regulation: The consultation refers to the 
importance of agile and proportionate regulation and suggests the 
introduction of an explicit ‘Proportionality Principle’. Proportionality is at the 
heart of any good regulatory system - where interventions made are 
proportionate to the benefits gained, are evidence-based and where 
regulators have regard to the principles of competition and innovation. 


10) Proportionality is already embedded in regulatory frameworks and through 
statutory objectives provided to regulators - for example through the 
Regulators’ code. The ICO has a strong track record of proportionate 
risk-based regulation. For example, our Regulatory Action Policy⁶ sets out a 
risk-based approach to acting against organisations and individuals who have 
breached the legislation we regulate. It focuses on areas of highest risk and 
most harm and seeks to ensure that any action is fair, proportionate and 
timely. This is supported by an ICO framework for assessing the likelihood and 
severity of data protection harms, as set out in the Regulatory Policy 
Methodology⁷. 


11) There may be merit in an explicit ‘Proportionality Principle’ to provide 
consistency and embed it further across the UK regulatory landscape. 
However, it is important that a generic proportionality requirement reflects 
the tailored approaches to regulatory proportionality already taken by 
individual regulators and does not cut across or undermine them. 


6 ICO Regulatory Action Policy 
7 ICO Regulatory Policy Methodology Framework 


Outcomes based regulation avoids a one size fits all approach and encourages 
innovation, but it does present challenges and risks: The consultation 
proposes adopting a more ‘common law’ approach to regulation, replacing 
prescriptive statutory frameworks with a more outcomes-based approach. 


The ICO has always taken an outcomes-based approach to regulation. The 
data protection framework is principles based, which allows for flexibility of 
regulation - essential as a whole economy regulator, where the level of risk 
varies across sectors, businesses, and organisations. The risk-based approach 
described above is underpinned by tailored guidance developed in 
consultation with sectors. In addition, the ICO’s accountability framework is 
an example of how we adopt an agile approach to meeting the needs of 
organisations. The framework supports organisations to put in place 
appropriate and effective policies, procedures and measures proportionate to 
the risks of the data they are processing. The agile approach also seeks to 
adapt ICO codes of practice and guidance to the needs of modern technology. 
The support UKGDPR provides for industry-driven codes of conduct is 
also a good example of how the core legislation can enable and support agile 
regulation focused on outcomes rather than inputs. 


However, it is important to understand the context in which a common law 
approach to regulation could apply. As the consultation acknowledges, the 
extent to which this can be adopted will depend on the legal basis for and the 
maturity of the area of regulation. Data protection law (the UKGDPR) is based 
on internationally recognised human rights standards and principles, which must 
be balanced with a common law approach. The public recognise and value key 
rights, alongside the sensible and practical approach of common law. The UK’s 
challenge is to successfully recognise that the UKGDPR is too prescriptive in 
places and that is why we are open and committed to working with 
government to review the existing law in this area. 


We also know that certainty is important for engendering trust between 
businesses and the public in data protection regulation and that 
principles-based legislation can be challenging for some organisations, 
particularly those that are less mature at thinking about their approach to 
processing and protecting data. These organisations look to the ICO for 
greater clarity and guidance and we have sought to mitigate this through our 
bespoke SME hub and other guidance. 


As the consultation acknowledges, this is a complex area, and the pros and 
cons of this approach are likely to vary depending on the area of regulation; 
there is unlikely to be a one size fits all solution. 


Regulatory coherence and collaboration between regulators are essential: 
Collaboration and coherence between regulators is essential for delivering for 
businesses and citizens, especially around digital services, where it is 
necessary for regulation to be able to respond to the scale and global nature 
of the large digital platforms. 


The ICO participates in several cross regulatory fora and initiatives, including 
the UK Regulatory Network (UKRN) and the Digital Regulatory Cooperation 
Forum (DRCF). 


It is essential that regulators consider the wider regulatory ecosystem in 
which they operate and not just their own regulatory duties. In the area of 
digital regulation, for example, there are a range of varying duties held by the 
different regulators, including competition, the interests of citizens, 
consumers, and privacy - some or all of which might be issues in a digital 
services-based investigation being taken forward by an individual regulator⁸. 
To ensure they are given equal weight, one option would be a general duty to 
cooperate between regulators or a duty to consult other regulators on cross 
cutting regulatory outcomes. 


Further ideas to address barriers and strengthen regulatory cooperation can 
be found in the DRCF’s response to DCMS’s review in this area. 


8 Digital Regulatory Cooperation Forum’s response to DCMS on the future of the digital regulatory landscape 


International Standards and cooperation: The UK’s regulatory framework 
needs to support businesses to compete internationally on a level playing 
field, promoting high standards and protection to citizens and consumers. A 
domestic regulatory framework that promotes high standards, innovation and 
competition is especially important, but globalisation presents challenges to 
regulation that cannot be dealt with in isolation. 


From a data protection perspective, the responsible use of personal data and 
the ability to access official information are rights enjoyed in over 100 
countries around the world. Data protection is an example of a regulatory 
sphere that displays characteristics of international convergence, with many 
countries such as Brazil and India introducing new laws based on international 
standards - such as the OECD privacy guidelines, Council of Europe 
Convention 108 and GDPR. Convergence and interoperability with these 
global principles are important for frictionless flows of data and digital 
innovation across borders in fields such as AI. 


In an increasingly digital world, these are issues that transcend national 
borders and therefore benefit from global cooperation by regulators. The data 
protection framework in the UK provides the ICO with extraterritorial reach, 
which is essential when regulating major online platforms, many of which are 
not domiciled in the UK. This helps ensure a level playing field for UK 
businesses as well as equivalent protections for UK citizens. Extraterritorial 
powers of this kind are now essential for all regulatory regimes operating in 
the international context and need to be considered as part of any review of 
the regulatory framework. 


23) Through our work in organisations such as the OECD, the Council of Europe 
and the Global Privacy Assembly, the UK leads and influences work on the 
interoperability of global data protection regimes and high standards. 


Accountability of Regulators 


24) The consultation rightly draws out the importance of the accountability of 
regulators. Many of the proposals made overlap with those set out in the 
Government’s consultation Data: A New Direction in relation to reform of the 
ICO’s Governance model which we have covered in detail in our published 
response and will therefore not replicate here. 


One area particularly pertinent to this consultation is the issue of 
Parliamentary accountability. As the consultation acknowledges, one of the 
consequences of a more common law approach to regulation is that it can 
result in less transparency of decision making and it therefore suggests that 
there might be increased accountability to Parliament. One solution to this 
might be the setting up of a Parliamentary Committee for Regulatory 
accountability and oversight that would be separate but complementary to 
the current Departmental Select Committees to which individual regulators 
currently account. 


This new committee would be expert in regulation and could conduct deep 
dives into cross cutting issues, for example the use of fines, market 
interventions, joint regulatory cases such as that involving ICO and the CMA 
examining Google privacy arrangements, and the fitness for purpose of 
powers or overall risk management arrangements at national level. 
Regulators would continue to be accountable to their relevant departmental 
committees for spending, policies, individual sanctions and administration. 


Sandboxes 


27) The ICO welcomes the Government’s recognition of the role of regulatory 
sandboxes and the importance they have in creating safe operation 
environments that citizens can trust. 


28) The ICO’s sandbox provides a significant opportunity to support organisations 
to develop truly innovative projects, with considerable public benefits, that 
are compliant with privacy rights. By applying the legislation to new and 
emerging data protection issues, we have been able to use it to inform wider 
guidance and regulatory approaches. 


29) As we continue to grow our own sandbox, we would support the potential for 
legislation to give regulators powers that would increase the number and 
impact of regulatory sandboxes. We would also welcome the opportunity to 
share our learning with other regulators. We have already learnt from the 
FCA’s original approach. It would be helpful too, in the context of the 
government’s stated aims for a more global Britain, to be able to explore an 
internationally-based sandbox with comparable regulators overseas and with 
appropriate safeguards. 


Government might also consider how it can enable regulators to work more 
closely with innovators to test and trial ideas where legislation does not 
currently enable this. For example, the World Economic Forum has 
highlighted the use of experimentation clauses in other jurisdictions⁹. Pilots of 
this nature might usefully inform future regulatory or legislative reform - 
subject to appropriate safeguards to ensure that businesses are regulated 
fairly, regulatory standards upheld, and any potential adverse impact on 
individuals mitigated. 


October 2021 


9 Agile Regulation for the Fourth Industrial Revolution: A Toolkit for Regulators 




